Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Lookup issues

ipops
Path Finder
‎08-26-2016 03:28 AM

Having issues getting the NANP app to work (https://splunkbase.splunk.com/app/1515/)

I have the following search but it does not return any lookup fields

sourcetype=ivrdata | eval {message}=varValue | stats first(LogTimestamp) as Time values(Phone) as phone values(Platform) as Platform by IVR_SessionID | WHERE Platform="FWA" | table areacode city latitude longitude

This search returns a phone number in the 1234567890 format as the "phone" field. Any idea what I am doing wrong here?

Here are the relevant files

props.conf

[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode

transforms.conf

[getareacode]
REGEX = phone_no="?(\d{3}\d{3})
FORMAT = areacode::$1

Sample of areacode_latitude_longitude.csv

areacode,city,region,country,latitude,longitude
201200,Jersey City,NJ,US,40.7280556,-74.0780556
201202,Hackensack,NJ,US,40.8858333,-74.0438889
201203,Hackensack,NJ,US,40.8858333,-74.0438889
201204,Jersey City,NJ,US,40.7280556,-74.0780556

Tags (1)
0 Karma
Reply

ipops
Path Finder
‎08-26-2016 08:20 AM

I have removed and reinstalled the NANP app.

It's expecting a phone number in xxx-xxx format

transforms.conf
[getareacode]
REGEX = phone_no="?(\d{3}[-|.]\d{3})
FORMAT = areacode::$1

props.conf
[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone_no OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode

Using the following search but it's not returning any lookup data

sourcetype=ivrdata | WHERE IVR_Message="Phone" | rename IVR_Value AS phone_no | rex field=phone_no mode=sed "s/(\d{3})(\d{3})(\d{4})/\1-\2/g" | table phone_no city country latitude longitude region

any ideas where I am going wrong?

alt text

Preview file
33 KB
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...